- Dynamic User Creation
- Dynamic Group Creation
- Dynamic Group Membership Creation
- Dynamic Permission Set Creation
- Dynamic Account Assignment Creation
- Dynamic Reference of Existing Users
- Dynamic Reference of Existing Groups
- AWS Managed Policy Support
- Customer Managed Policy Support
- Dynamic Application Creation (with Portal Options, Users and Groups assignments and Assignments Access Scopes configuration)
- Locals are used to allow for global changes to multiple account assignments. If hard coding the account ids for your account assignments, you would need to change them in every place you want to reference the value. To simplify this, we recommend storing your desired account ids in local values. See the
examplesdirectory for more information and sample code. - When using Customer Managed Policies with account assignments, you must ensure these policies exist in all target accounts before using the module. Failure to do this will cause deployment errors because IAM Identity Center will attempt to reference policies that do not exist.
- Ensure that the name of your object(s) match the name of your principal(s) (e.g. user name or group name). See the following example with object/principal names 'Admin' and 'nuzumaki':
sso_groups = {
Admin : {
group_name = "Admin"
group_description = "Admin IAM Identity Center Group"
},
}
// Create desired USERS in IAM Identity Center
sso_users = {
nuzumaki : {
group_membership = ["Admin",]
user_name = "nuzumaki"
given_name = "Naruto"
family_name = "Uzumaki"
email = "[email protected]"
},
}
// Create desired Applications in IAM Identity Center
sso_applications = {
FirstApplication : {
application_provider_arn = "arn:aws:sso::aws:applicationProvider/custom"
description = "I am the First Application"
name = "FirstApplication"
portal_options = {
sign_in_options = {
application_url = "http://example.com"
origin = "APPLICATION"
}
visibility = "ENABLED"
}
status = "ENABLED"
assignment_required = true
assignments_access_scope = [
{
authorized_targets = ["FirstApplication"]
scope = "sso:account:access"
}
]
group_assignments = ["Dev"]
user_assignments = ["nuzumaki"]
}
}
The object/principal names are referenced throughout the module. Failure to follow this guidance may lead to unintentional errors such as the following:
Error: Invalid index
│
│ on ../../main.tf line 141, in resource "aws_identitystore_group_membership" "sso_group_membership":
│ 141: member_id = (contains(local.this_users, each.value.user_name) ? aws_identitystore_user.sso_users[each.value.user_name].user_id : data.aws_identitystore_user.existing_sso_users[each.value.user_name].id)
│ ├────────────────
│ │ aws_identitystore_user.sso_users is object with 2 attributes
│ │ each.value.user_name is "nuzumaki"
│
│ The given key does not identify an element in this collection value.
To resolve this, ensure your object and principal names are the same (case-sensitive) and re-run terraform plan and terraform apply.
// This is a template file for a basic deployment.
// Modify the parameters below with actual values
module "aws-iam-identity-center" {
source = "aws-ia/iam-identity-center/aws"
// Create desired GROUPS in IAM Identity Center
sso_groups = {
Admin : {
group_name = "Admin"
group_description = "Admin IAM Identity Center Group"
},
Dev : {
group_name = "Dev"
group_description = "Dev IAM Identity Center Group"
},
QA : {
group_name = "QA"
group_description = "QA IAM Identity Center Group"
},
Audit : {
group_name = "Audit"
group_description = "Audit IAM Identity Center Group"
},
}
// Create desired USERS in IAM Identity Center
sso_users = {
nuzumaki : {
group_membership = ["Admin", "Dev", "QA", "Audit"]
user_name = "nuzumaki"
given_name = "Naruto"
family_name = "Uzumaki"
email = "[email protected]"
},
suchiha : {
group_membership = ["QA", "Audit"]
user_name = "suchiha"
given_name = "Sasuke"
family_name = "Uchiha"
email = "[email protected]"
},
}
// Create permissions sets backed by AWS managed policies
permission_sets = {
AdministratorAccess = {
description = "Provides AWS full access permissions.",
session_duration = "PT4H", // how long until session expires - this means 4 hours. max is 12 hours
aws_managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
tags = { ManagedBy = "Terraform" }
},
ViewOnlyAccess = {
description = "Provides AWS view only permissions.",
session_duration = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
aws_managed_policies = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
tags = { ManagedBy = "Terraform" }
},
CustomPermissionAccess = {
description = "Provides CustomPoweruser permissions.",
session_duration = "PT3H", // how long until session expires - this means 3 hours. max is 12 hours
aws_managed_policies = [
"arn:aws:iam::aws:policy/ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
]
inline_policy = data.aws_iam_policy_document.CustomPermissionInlinePolicy.json
// Only either managed_policy_arn or customer_managed_policy_reference can be specified.
// Before using customer_managed_policy_reference, first deploy the policy to the account.
// Don't in-place managed_policy_arn to/from customer_managed_policy_reference, delete it once.
permissions_boundary = {
// managed_policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
customer_managed_policy_reference = {
name = "ExamplePermissionsBoundaryPolicy"
// path = "/"
}
}
tags = { ManagedBy = "Terraform" }
},
}
// Assign users/groups access to accounts with the specified permissions
account_assignments = {
Admin : {
principal_name = "Admin" # name of the user or group you wish to have access to the account(s)
principal_type = "GROUP" # principal type (user or group) you wish to have access to the account(s)
principal_idp = "INTERNAL" # type of Identity Provider you are using. Valid values are "INTERNAL" (using Identity Store) or "EXTERNAL" (using external IdP such as EntraID, Okta, Google, etc.)
permission_sets = ["AdministratorAccess", "ViewOnlyAccess"] # permissions the user/group will have in the account(s)
account_ids = [ # account(s) the group will have access to. Permissions they will have in account are above line
"111111111111", // replace with your desired account id
"222222222222", // replace with your desired account id
]
},
Audit : {
principal_name = "Audit"
principal_type = "GROUP"
principal_idp = "INTERNAL"
permission_sets = ["ViewOnlyAccess"]
account_ids = [
"111111111111",
"222222222222",
]
},
}
} // Create desired Applications in IAM Identity Center
sso_applications = {
FirstApplication : {
application_provider_arn = "arn:aws:sso::aws:applicationProvider/custom"
description = "I am the First Application"
name = "FirstApplication"
portal_options = {
sign_in_options = {
application_url = "http://example.com"
origin = "APPLICATION"
}
visibility = "ENABLED"
}
status = "ENABLED"
assignment_required = true
assignments_access_scope = [
{
authorized_targets = ["FirstApplication"]
scope = "sso:account:access"
}
]
group_assignments = ["Dev"]
user_assignments = ["nuzumaki"]
}
}
See the CONTRIBUTING.md file for information on how to contribute.